FF address bar not working when using ABE rules

Discussions about the Application Boundaries Enforcer (ABE) module
SteveO

FF address bar not working when using ABE rules

Post by SteveO » Sun Dec 04, 2016 12:41 pm

Hello,

I use Noscript ABE since many years. But I have the feeling something has changed now.

For example I have this rule since years in my ABE:

Site .twitter.com .twimg.com
Accept from SELF
Accept from .twitter.com .twimg.com
Deny INCLUSION


But now (maybe due to recent FF updates) when I type twitter.com into
FireFox's address bar and submit, nothing happens. The site is not loaded.

Same happens when clicking on links. For example I search on google.com for
some product and google search results show a link to a product on amazon.com.
I cannot click on the link to the amazon webpage, when having this rule in ABE:

Site .amazon.com
Accept from SELF
Accept from .amazon.com
Deny INCLUSION


Is this a bug or a problem of ABE with latest FF version?

Help is really appreciated! It started to act like this out of a sudden.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: FF address bar not working when using ABE rules

Post by barbaz » Sun Dec 04, 2016 2:56 pm

*Always* check the changelogs BEFORE updating that important software!
-

SteveO

Re: FF address bar not working when using ABE rules

Post by SteveO » Sat Jan 14, 2017 6:18 pm

The problem is still there, is somebody working on a fix?
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

SteveO

Re: FF address bar not working when using ABE rules

Post by SteveO » Sun Feb 19, 2017 12:29 pm

Hello,

[1]
I still cannot reach pages anymore directly via address bar when they are in my ABE list.

Is somebody working on a fix for that? :/

Somebody linked another thread but still it is unclear to me what the conclusion of the technical discussion there was?

[2]
Even here in the noscript forum I noticed the ReCAPTCHA input box from Google only appears
when I disable all my ABE rules although I have temporarily allowed all scripts.

Why did the behavior change?

In the past, when I temporarily allowed scripts from Google etc there was no problem,
the captcha boxes appeard. But now it seems they are still blocked by my ABE rules
so I always have to disable ABE when I want to see them. This is really annoying!

Site .google.de .google.com .gstatic.com .google-analytics.com .googlesyndication.com .googleadservices.com .googletagservices.com .googletagmanager.com
Accept from SELF
Accept from .google.de .google.com .gstatic.com .google-analytics.com .googlesyndication.com .googleadservices.com .googletagservices.com .googletagmanager.com
Deny INCLUSION


Help is really appreciated!
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0

SteveO

Re: FF address bar not working when using ABE rules

Post by SteveO » Sun Feb 19, 2017 12:48 pm

Regarding [2], this is how it looks like:

First no ReCAPTCHA is displayed although I have allowed everything shown NoScript (top-left)
Image

Then I have to disable ABE
Image

To finally see the ReCAPTCHA
Image

In the past I never had to disable ABE. At some point a FireFox update or NoScipt update
was installed and then it suddenly behave like this.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: FF address bar not working when using ABE rules

Post by barbaz » Sun Feb 19, 2017 5:30 pm

1) There wasn't a conclusion. Giorgio will get to that when he gets the chance.

2) That ABE rule should block the reCAPTCHA, just as it's doing now. This should get it working -

Code: Select all

Site .google.de .google.com .gstatic.com .google-analytics.com .googlesyndication.com .googleadservices.com .googletagservices.com .googletagmanager.com
Accept from .google.de .google.com .gstatic.com .google-analytics.com .googlesyndication.com .googleadservices.com .googletagservices.com .googletagmanager.com forums.informaction.com
Deny INCLUSION
*Always* check the changelogs BEFORE updating that important software!
-

SteveO

Re: FF address bar not working when using ABE rules

Post by SteveO » Tue Feb 21, 2017 5:01 pm

barbaz wrote:1) There wasn't a conclusion. Giorgio will get to that when he gets the chance.

2) That ABE rule should block the reCAPTCHA, just as it's doing now. This should get it working -

Code: Select all

Site .google.de .google.com .gstatic.com .google-analytics.com .googlesyndication.com .googleadservices.com .googletagservices.com .googletagmanager.com
Accept from .google.de .google.com .gstatic.com .google-analytics.com .googlesyndication.com .googleadservices.com .googletagservices.com .googletagmanager.com forums.informaction.com
Deny INCLUSION
Thanks for the clarification!

Regarding [1] I will be patient, and thanks for taking the efforts to fix it :-)

Regarding [2] Maybe I am wrong but I am 99,9% sure that this is a new behavior. I have those rules for many years
and never touched them. In the past, when I went on a page and in the quick menu temporarily allowed scripts
for this page, also the ABE rules seemed to be deactivated for this page (at least I always got all kinds of CAPTCHAS displayed).

This was nice. But now, when I visit some random page and temporarily allow scripts, I still need to disable
ABE somewhere deep in the settings (or always add the site to the "Accept from" line) to see CAPTCHAS etc.
This is very cumbersome!

Therefore I would like to request the following "feature", as the behavior of NoScript has obviously changed:
- When temporarily allowing scripts on a page, also treat this page automatically as being part of the
"Accept from" line in the ABE rules (kind of implicit behavior) or disable ABE for this page
- OR if this would conflict with the way ABE was designed, add another option to the quick menu
to temporarily disable ABE for a given site (without the need to add/remove it from the ABE rules)

Many thanks
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: FF address bar not working when using ABE rules

Post by barbaz » Tue Feb 21, 2017 6:41 pm

SteveO wrote:Therefore I would like to request the following "feature", as the behavior of NoScript has obviously changed:
- When temporarily allowing scripts on a page, also treat this page automatically as being part of the
"Accept from" line in the ABE rules (kind of implicit behavior) or disable ABE for this page
- OR if this would conflict with the way ABE was designed, add another option to the quick menu
to temporarily disable ABE for a given site (without the need to add/remove it from the ABE rules)
As you know, NoScript blocks scripts and other active content by default. The purpose is to vastly reduce attack surface from known and unknown threats. This is why, when temporarily allowing scripts, it's important to be careful - you are increasing potential attack surface.

ABE provides a different sort of protection. The purpose of ABE is to defend against CSRF. You make rules that define a site's expected behavior, and let ABE block the unexpected stuff as attempted CSRF. That's an attack foiled.

Now imagine that whenever temporarily allowing scripts on a page, ABE becomes disabled for that pag...ok wat??? That's like having seat belts and airbags in your golf cart, but not your Bugatti Veyron.

Ok, you say, but a quick toggle to disable ABE wouldn't have to be used on every Temp-Allowed site. So it should lessen that risk, right? Nope, it just changes the risk slightly - viewtopic.php?f=10&t=21541

I'm thinking you're looking for something more like µMatrix.
*Always* check the changelogs BEFORE updating that important software!
-

SteveO

Re: FF address bar not working when using ABE rules

Post by SteveO » Wed Feb 22, 2017 1:36 pm

barbaz wrote:ABE provides a different sort of protection. The purpose of ABE is to defend against CSRF.
Actually I also use it to block spying websites, for example facebook like button tracking internet users.
barbaz wrote:Ok, you say, but a quick toggle to disable ABE wouldn't have to be used on every Temp-Allowed site. So it should lessen that risk, right? Nope, it just changes the risk slightly
Hmm sorry cannot agree on that.

Two things:
- I cannot put every site that uses ReCAPTCHA (or similar) manually to my "ABE Allow from" rules because it is cumbersome and I don't want to maintain a list of all those sites
- I cannot allow every site to load ReCAPTCHA because I don't want to load stuff from these Google domains per default
=> The consequence is, that I need a way to quickly AND temporarily disable ABE for a given domain in the quick menu, same as we currently can do for scripts

Regarding "ah it is dangerous", I think if somebody uses ABE he already is smart enough to not disable it when being on some suspicious website.
And since scripts can be temporarily disabled, there is no reason to not allow the same thing for ABE.

At the moment I am forced to always open ABE settings and disable it manually. Very annoying and frustrating experience.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: FF address bar not working when using ABE rules

Post by barbaz » Wed Feb 22, 2017 5:56 pm

SteveO wrote:
barbaz wrote:ABE provides a different sort of protection. The purpose of ABE is to defend against CSRF.
Actually I also use it to block spying websites, for example facebook like button tracking internet users.
You can also unscrew stuff with a fingernail. Does that mean the purpose of fingernails is to unscrew stuff?
SteveO wrote:Two things:
- I cannot put every site that uses ReCAPTCHA (or similar) manually to my "ABE Allow from" rules because it is cumbersome and I don't want to maintain a list of all those sites
- I cannot allow every site to load ReCAPTCHA because I don't want to load stuff from these Google domains per default
=> The consequence is, that I need a way to quickly AND temporarily disable ABE for a given domain in the quick menu, same as we currently can do for scripts
You "need" the ability to quickly allow something you have personally, deliberately defined as CSRF? Sounds reasonable on the face of it. Besides, what could go wrong? :roll:
SteveO wrote:Regarding "ah it is dangerous", I think if somebody uses ABE
... which every NoScript user who leaves the default setting of ABE enabled does...
SteveO wrote:he already is smart enough to not disable it when being on some suspicious website.
Err, no, that's not how it works. Intelligence has surprisingly little to do with what users do sometimes.
SteveO wrote:And since scripts can be temporarily disabled, there is no reason to not allow the same thing for ABE.
ABE is completely independent of script blocking. So by the same logic, since toucans don't wear pants, there is no reason for snowboarders to wear pants.
SteveO wrote:At the moment I am forced to always open ABE settings and disable it manually. Very annoying and frustrating experience.
Yes, unscrewing something with a fingernail is a very annoying and frustrating experience, not to mention painful. ;)
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: FF address bar not working when using ABE rules

Post by Thrawn » Wed Feb 22, 2017 11:08 pm

SteveO wrote: I also use it to block spying websites, for example facebook like button tracking internet users.
As you have discovered, while it's possible to do that with ABE, it's rather cumbersome.

You would likely fare much better with an extension specifically designed to block trackers. There are many candidates; barbaz mentioned uMatrix, which is a pretty comprehensive solution, although it's not for the faint of heart. uBlock Origin, by the same author, is easier if you want install-and-forget tracking protection. Adblock Plus is, of course, the most popular extension on addons.mozilla.org. I could go on.

The only major one I really wouldn't recommend is Ghostery, which has a history of not playing nicely with others.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: FF address bar not working when using ABE rules

Post by barbaz » Wed Feb 22, 2017 11:25 pm

Thrawn wrote:You would likely fare much better with an extension specifically designed to block trackers. There are many candidates; barbaz mentioned uMatrix, which is a pretty comprehensive solution,
And let's not forget -
SteveO wrote:I need a way to quickly AND temporarily disable
In µMatrix, two clicks and it's temporarily disabled for a site. One more click in its interface to reload the page, and you're golden.

For further discussion of µMatrix specifics, please go here - viewtopic.php?f=18&t=20815
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply